Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Superset has issues using SECRET_KEY to decrypt encrypted data in postgres #714

Closed
HumairAK opened this issue Oct 19, 2021 · 1 comment
Closed

Superset has issues using SECRET_KEY to decrypt encrypted data in postgres #714

HumairAK opened this issue Oct 19, 2021 · 1 comment
Labels
kind/bug Categorizes issue or PR as related to a bug. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete.

Comments

@HumairAK
Copy link
Member

HumairAK commented Oct 19, 2021
edited
Loading

Upon reboot the init container will crash reporting the following:

  File "/usr/local/lib/python3.7/site-packages/sqlalchemy_utils/types/encrypted/encrypted_type.py", line 414, in process_result_value
    decrypted_value = self.engine.decrypt(value)
  File "/usr/local/lib/python3.7/site-packages/sqlalchemy_utils/types/encrypted/encrypted_type.py", line 128, in decrypt
    raise ValueError('Invalid decryption key')
ValueError: Invalid decryption key

But the SECRET_KEY is specified in the superset_config.py and pulled from a secret that never changes, so I'm not sure why this happens. To fix this issue we have to clear out the data that is using this key to encrypt said data. AFAIK this is only in the public.dbs table, the field password and encrypted_extra running the following fixes it:

$ oc rsh ${SUPERSET_DB_POD}
sh-4.2$ psql
postgres=# \connect supersetdb
supersetdb=# UPDATE public.dbs SET password = null;
supersetdb=# UPDATE public.dbs SET encrypted_extra = null;

However doing this requires one to go back and update the database password by re-entering them again, lest they won't work.

Possibly related threads:
@HumairAK HumairAK added kind/bug Categorizes issue or PR as related to a bug. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. labels Oct 19, 2021
@sefkhet-abwy sefkhet-abwy bot added the human_intervention_required to a human team mate! label Oct 19, 2021
@HumairAK HumairAK removed the human_intervention_required to a human team mate! label Oct 19, 2021
This was referenced Oct 19, 2021
Merged
Closed
Merged
@HumairAK
Copy link
Member Author

HumairAK commented Oct 25, 2021
edited
Loading

Okay pretty sure the reason why is because we set the SECRET_KEY to an env var that is not available to the init container, thus the init container uses the default value as specified here

Fix should be: operate-first/apps#1227

@durandom durandom transferred this issue from operate-first/operations Sep 6, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug Categorizes issue or PR as related to a bug. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@HumairAK